Microsoft Issues Two Security Patches, One For 'Critical' Flaw

One flaw in the way Windows handles TCP/IP processing could let an attacker take control of a computer.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 8, 2008

4 Min Read

Microsoft on Tuesday released two security bulletins as part of its monthly patch schedule.

Microsoft Security Bulletin MS08-001, rated "Critical," fixes a flaw in the way the Windows kernel's Transmission Control Protocol/Internet Protocol (TCP/IP) stack processes multicast group-management traffic (IGMP on IPv4 and its IPv6 counterpart, MLD).

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft explains. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1 and SP2, and Windows Vista are affected. The "Critical" rating applies to Windows XP and Windows Vista; the vulnerability is rated only "Moderate" for Windows 2000 and "Important" for Windows Server 2003.

"The vulnerability affecting Windows Kernel TCP/IP IGMP could be significant depending on the user's firewall settings," said Ben Greenbaum, senior research manager at Symantec Security Response, in an e-mailed statement. "This issue is compounded by the fact the user's computer may automatically reboot upon a failed exploit attempt, giving the attacker multiple opportunities to compromise the computer. Users should utilize firewall best practices, such as blocking IGMP packets, so their computers will not be at risk."

"This is definitely an interesting one," said Don Leatham, director of solutions and strategies for Lumension Security. "It's down in the TCP/IP kernel. That allows whoever exploits this to have control over the machine at the highest levels."

"This is the second month in a row that we have vulnerabilities that affect all [of Microsoft's supported] operating systems," said Amol Sarwate, manager of vulnerability research at Qualys. "The TCP/IP vulnerability is important not just because it affects every Windows OS, but because the attack does not require any login credentials or a user to click on a Web page. And the consequences are pretty high."

Leatham said that organizations that use IP multicast (which he referred to as IP broadcasting) to stream media and to collaborate should pay particular attention to this patch, since multicast receivers are exactly the hosts that exchange the IGMP traffic the flaw lives in. "IP broadcasting is becoming more and more prevalent in the Web 2.0 collaborative environment," he said. "It's definitely something that shouldn't be ignored."
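Greenbaum's advice above is to block IGMP at the firewall; before doing that, it helps to know what the traffic looks like on the wire and whether any of it is malformed. The following is an added example, not code from the article or from any of the vendors quoted in it: it parses IGMPv1/v2/v3 messages (the IP payload carried as protocol 2), verifies the RFC 1071 checksum, and flags messages whose declared source or group-record counts do not fit the bytes actually received. The sample packets are constructed inside the code. The count-versus-length check is a generic sanity check on multicast group-management traffic, not a reproduction of the MS08-001 trigger, which the article does not describe.

```python
"""Parse IGMP messages and flag count/length inconsistencies.

Added example (not from the article). Packets below are constructed,
not captured. Only the count-vs-length sanity check is shown; it is
not the MS08-001 exploit condition, which the article does not give.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# IGMP type codes (RFC 1112, RFC 2236, RFC 3376)
IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V1_REPORT = 0x12
IGMP_V2_REPORT = 0x16
IGMP_V2_LEAVE = 0x17
IGMP_V3_REPORT = 0x22

TYPE_NAMES = {
    IGMP_V1_REPORT: "IGMPv1 Membership Report",
    IGMP_V2_REPORT: "IGMPv2 Membership Report",
    IGMP_V2_LEAVE: "IGMPv2 Leave Group",
    IGMP_V3_REPORT: "IGMPv3 Membership Report",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(msg: bytes) -> bytes:
    """Return msg with the checksum field (bytes 2-3) filled in."""
    buf = bytearray(msg)
    buf[2:4] = b"\x00\x00"
    struct.pack_into("!H", buf, 2, inet_checksum(bytes(buf)))
    return bytes(buf)


def build_v2_report(group: str) -> bytes:
    """8-byte IGMPv2 Membership Report (RFC 2236)."""
    return with_checksum(struct.pack("!BBH4s", IGMP_V2_REPORT, 0, 0, IPv4Address(group).packed))


def build_v3_query(group: str, sources: list[str], max_resp: int = 100, qqic: int = 125) -> bytes:
    """IGMPv3 Membership Query (RFC 3376 s4.1): 12-byte header + 4 bytes per source.
    Byte 8 is Resv(4)|S(1)|QRV(3); 0x02 means S=0, QRV=2."""
    header = struct.pack("!BBH4sBBH", IGMP_MEMBERSHIP_QUERY, max_resp, 0,
                         IPv4Address(group).packed, 0x02, qqic, len(sources))
    return with_checksum(header + b"".join(IPv4Address(s).packed for s in sources))


@dataclass
class IgmpMessage:
    msg_type: int
    kind: str
    group: str
    sources: list[str] = field(default_factory=list)      # v3 query source list
    records: list[tuple] = field(default_factory=list)    # v3 report: (rtype, group, sources)
    checksum_ok: bool = True
    problems: list[str] = field(default_factory=list)


def parse_igmp(raw: bytes) -> IgmpMessage:
    """Parse one IGMP message; every declared count is checked against the bytes present."""
    data = bytes(raw)
    if len(data) < 8:
        raise ValueError("IGMP message shorter than the 8-byte common header")
    msg_type, max_resp, _csum, group_raw = struct.unpack("!BBH4s", data[:8])
    if msg_type == IGMP_MEMBERSHIP_QUERY:
        # RFC 3376 s7.1: 8-byte query is v1 (max resp 0) or v2; >= 12 bytes is v3
        kind = ("IGMPv3 Membership Query" if len(data) >= 12
                else "IGMPv1 Membership Query" if max_resp == 0
                else "IGMPv2 Membership Query")
    else:
        kind = TYPE_NAMES.get(msg_type, f"unknown type 0x{msg_type:02x}")
    msg = IgmpMessage(msg_type, kind, str(IPv4Address(group_raw)))
    msg.checksum_ok = inet_checksum(data) == 0
    if not msg.checksum_ok:
        msg.problems.append("bad checksum")

    if kind == "IGMPv3 Membership Query":
        (n_sources,) = struct.unpack("!H", data[10:12])
        available = (len(data) - 12) // 4
        if n_sources > available:
            msg.problems.append(f"query declares {n_sources} sources but only {available} fit in {len(data)} bytes")
        for i in range(min(n_sources, available)):
            msg.sources.append(str(IPv4Address(data[12 + 4 * i:16 + 4 * i])))
    elif msg_type == IGMP_V3_REPORT:
        (n_records,) = struct.unpack("!H", data[6:8])
        off = 8
        for i in range(n_records):
            if off + 8 > len(data):
                msg.problems.append(f"report declares {n_records} group records but data ends after {i}")
                break
            rtype, aux_len, n_src, mcast = struct.unpack("!BBH4s", data[off:off + 8])
            off += 8
            need = 4 * n_src + 4 * aux_len      # sources, then aux data in 32-bit words
            if off + need > len(data):
                msg.problems.append(f"group record {i} needs {need} bytes but only {len(data) - off} remain")
                break
            srcs = [str(IPv4Address(data[off + 4 * j:off + 4 * j + 4])) for j in range(n_src)]
            msg.records.append((rtype, str(IPv4Address(mcast)), srcs))
            off += need
    return msg


def build_sample_traffic() -> dict[str, bytes]:
    """Constructed packets for the demonstration (not captured traffic)."""
    good_query = build_v3_query("239.1.1.1", ["10.0.0.5", "10.0.0.6"])
    # Same query with Number of Sources rewritten to 2000 and the checksum
    # recomputed, so the count/length mismatch is the only thing wrong.
    forged = bytearray(good_query)
    struct.pack_into("!H", forged, 10, 2000)
    return {
        "v2_report": build_v2_report("224.0.0.251"),
        "v3_query": good_query,
        "v3_query_bad_count": with_checksum(bytes(forged)),
        "v3_query_truncated": good_query[:-2],
    }


def audit(packets: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each packet name to the list of problems found in it."""
    return {name: parse_igmp(pkt).problems for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, problems in audit(build_sample_traffic()).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Feed it the IPv4 payload of frames with protocol number 2 and anything that reports a problem is traffic worth dropping before it reaches the kernel. If you would rather follow Greenbaum's advice and not let IGMP in at all, a host rule that blocks inbound IP protocol 2 in the Windows Firewall (on Vista, a `netsh advfirewall firewall add rule` with `protocol=2` and `action=block`) achieves that, at the cost of breaking legitimate multicast reception on that host.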

Microsoft Security Bulletin MS08-002, rated "Important," resolves a local elevation-of-privilege vulnerability in the Microsoft Windows Local Security Authority Subsystem Service (LSASS). Windows 2000 SP4, Windows XP SP2, and Windows Server 2003 SP1 and SP2 are affected. Windows Vista is not affected by this flaw.

LSASS helps manage local security, domain authentication, and Active Directory service processes.

Microsoft is addressing the LSASS issue by validating parameters passed to LSASS APIs.

Sarwate said that because exploiting the LSASS flaw requires valid login credentials, "it is something to be worried about but not as much as the first one."

Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies, said both vulnerabilities are significant in their own way. The TCP/IP flaw could allow an attacker to execute code remotely or to conduct a denial of service attack, he said. However, he added, the attack surface is fairly small since the multicast protocol required to exploit this flaw is not enabled by default and is often blocked.

The LSASS vulnerability itself, Schultze said, isn't terribly dangerous, since it requires a user to execute exploit code locally rather than over a network. But combined with another unpatched vulnerability in Internet Explorer, for example, the LSASS flaw could be used to compromise a machine from afar.

Not addressed this month was the WPAD vulnerability that Microsoft acknowledged last November. "Its omission is a little puzzling since many people have described the resolution as simple and it's been known for quite a while," said Andrew Storms, director of security operations for nCircle, in an e-mailed statement. "It may be that this vulnerability has been out long enough so that Microsoft already has a good sense of the attack method and they feel comfortable delaying based on their assessment of its risk in the wild."

And there's a RealPlayer vulnerability, for which exploit code exists, that has yet to be patched.

Microsoft also issued a security advisory aimed at improving the security protection in Windows Vista for Windows Sidebar gadgets. The advisory points to a document about safe Windows Sidebar gadget use.


About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, information, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
